deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 22:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into metasecurity7

Browse Source
This commit is contained in:
Angela Fleischmann 2022-10-25 16:15:30 -06:00 committed by GitHub
commit 3fd5638c6f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
43 changed files with 139 additions and 139 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/threat-protection/auditing/event-4752.md
View File

@ -2,7 +2,7 @@
title: 4752(S) A member was removed from a security-disabled global group. (Windows 10) title: 4752(S) A member was removed from a security-disabled global group. (Windows 10)
description: Describes security event 4752(S) A member was removed from a security-disabled global group. description: Describes security event 4752(S) A member was removed from a security-disabled global group.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4752(S): A member was removed from a security-disabled global group. # 4752(S): A member was removed from a security-disabled global group.

4
windows/security/threat-protection/auditing/event-4753.md
View File

@ -2,7 +2,7 @@
title: 4753(S) A security-disabled global group was deleted. (Windows 10) title: 4753(S) A security-disabled global group was deleted. (Windows 10)
description: Describes security event 4753(S) A security-disabled global group was deleted. description: Describes security event 4753(S) A security-disabled global group was deleted.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4753(S): A security-disabled global group was deleted. # 4753(S): A security-disabled global group was deleted.

4
windows/security/threat-protection/auditing/event-4764.md
View File

@ -2,7 +2,7 @@
title: 4764(S) A group's type was changed. (Windows 10) title: 4764(S) A group's type was changed. (Windows 10)
description: Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed. description: Describes security event 4764(S) A group's type was changed. This event is generated when the type of a group is changed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4764(S): A groups type was changed. # 4764(S): A groups type was changed.

4
windows/security/threat-protection/auditing/event-4765.md
View File

@ -2,7 +2,7 @@
title: 4765(S) SID History was added to an account. (Windows 10) title: 4765(S) SID History was added to an account. (Windows 10)
description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account. description: Describes security event 4765(S) SID History was added to an account. This event is generated when SID History is added to an account.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4765(S): SID History was added to an account. # 4765(S): SID History was added to an account.

4
windows/security/threat-protection/auditing/event-4766.md
View File

@ -2,7 +2,7 @@
title: 4766(F) An attempt to add SID History to an account failed. (Windows 10) title: 4766(F) An attempt to add SID History to an account failed. (Windows 10)
description: Describes security event 4766(F) An attempt to add SID History to an account failed. description: Describes security event 4766(F) An attempt to add SID History to an account failed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4766(F): An attempt to add SID History to an account failed. # 4766(F): An attempt to add SID History to an account failed.

4
windows/security/threat-protection/auditing/event-4767.md
View File

@ -2,7 +2,7 @@
title: 4767(S) A user account was unlocked. (Windows 10) title: 4767(S) A user account was unlocked. (Windows 10)
description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked. description: Describes security event 4767(S) A user account was unlocked. This event is generated every time a user account is unlocked.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4767(S): A user account was unlocked. # 4767(S): A user account was unlocked.

26
windows/security/threat-protection/auditing/event-4768.md
View File

@ -2,7 +2,7 @@
title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. (Windows 10) title: 4768(S, F) A Kerberos authentication ticket (TGT) was requested. (Windows 10)
description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested. description: Describes security event 4768(S, F) A Kerberos authentication ticket (TGT) was requested.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 10/20/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4768(S, F): A Kerberos authentication ticket (TGT) was requested. # 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
@ -180,11 +180,11 @@ The most common values:
| 14 | Request-anonymous | KILE not use this flag. | | 14 | Request-anonymous | KILE not use this flag. |
| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. | | 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the "canonicalize" KDC option for the AS-REQ or TGS-REQ. |
| 16-25 | Unused | - | | 16-25 | Unused | - |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag is not supported by KILE. | | 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag isn't supported by KILE. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | | 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
| 28 | Enc-tkt-in-skey | No information. | | 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | - | | 29 | Unused | - |
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | | 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. | | 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. |
## Table 2. Kerberos ticket flags ## Table 2. Kerberos ticket flags
@ -209,7 +209,7 @@ The most common values:
| 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a tickets start time be set into the future.<br>It also can occur if there is a time difference between the client and the KDC. | | 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a tickets start time be set into the future.<br>It also can occur if there is a time difference between the client and the KDC. |
| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. | | 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. |
| 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a users account. For example workstation restriction, smart card authentication requirement or logon time restriction. | | 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a users account. For example workstation restriction, smart card authentication requirement or logon time restriction. |
| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.<br>The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list | | 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.<br>The SPN to which the client is attempting to delegate credentials isn't in its Allowed-to-delegate-to list |
| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. | | 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. |
| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. | | 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. |
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | | 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
@ -226,7 +226,7 @@ The most common values:
| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | | 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. |
| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | | 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | | 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | | 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server isn't yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
| 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. | | 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. |
| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. | | 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. |
| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.<br>There is an account mismatch during protocol transition. | | 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.<br>There is an account mismatch during protocol transition. |
@ -236,18 +236,18 @@ The most common values:
| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages. <br>This error also generated if use of UDP protocol is being attempted with User-to-User authentication. | | 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages. <br>This error also generated if use of UDP protocol is being attempted with User-to-User authentication. |
| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.<br>The authentication data was modified in transit by a hardware or software error, or by an attacker.<br>The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.<br>The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. | | 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.<br>The authentication data was modified in transit by a hardware or software error, or by an attacker.<br>The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.<br>The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. |
| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | | 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. |
| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. | | 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key isn't available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ isn't one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. |
| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. | | 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. |
| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. | | 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. |
| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. | | 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. |
| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. | | 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According to [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. |
| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. | | 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. |
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | | 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after that, the user-supplied checksum in the Authenticator MUST be verified against the contents of the request. The message MUST be rejected either if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). |
| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | | 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. |
| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | | 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. |
| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.<br>Multiple recent password changes have not propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts. | | 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.<br>Multiple recent password changes have not propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts. |
| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | | 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. |
| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when users smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. | | 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or isn't implemented | This typically happens when users smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. |
| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | | 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. |
| 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. | | 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. |
| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. | | 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. |
@ -317,11 +317,11 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that dont comply with naming conventions. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that dont comply with naming conventions. |
- You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP address range or not from private IP address ranges. - You can track all [4768](event-4768.md) events where the **Client Address** isn't from your internal IP address range or not from private IP address ranges.
- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the allowlist, generate the alert. - If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** isn't from the allowlist, generate the alert.
- All **Client Address** = ::1 means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = ::1 and **Account Name** is not allowed to log on to any domain controller. - All **Client Address** = `::1` means local authentication. If you know the list of accounts which should log on to the domain controllers, then you need to monitor for all possible violations, where **Client Address** = `::1` and **Account Name** isn't allowed to log on to any domain controller.
- All [4768](event-4768.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection. - All [4768](event-4768.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection.

72
windows/security/threat-protection/auditing/event-4769.md
View File

@ -2,7 +2,7 @@
title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10) title: 4769(S, F) A Kerberos service ticket was requested. (Windows 10)
description: Describes security event 4769(S, F) A Kerberos service ticket was requested. description: Describes security event 4769(S, F) A Kerberos service ticket was requested.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4769(S, F): A Kerberos service ticket was requested. # 4769(S, F): A Kerberos service ticket was requested.
@ -27,9 +27,9 @@ This event generates every time Key Distribution Center gets a Kerberos Ticket G
This event generates only on domain controllers. This event generates only on domain controllers.
If TGS issue fails then you will see Failure event with **Failure Code** field not equal to “**0x0**”. If TGS issue fails then you'll see Failure event with **Failure Code** field not equal to “**0x0**”.
You will typically see many Failure events with **Failure Code** “**0x20**”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance. You'll typically see many Failure events with **Failure Code** “**0x20**”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. > **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@ -86,7 +86,7 @@ You will typically see many Failure events with **Failure Code** “**0x20**”,
- Computer account example: WIN81$@CONTOSO.LOCAL - Computer account example: WIN81$@CONTOSO.LOCAL
> **Note** Although this field is in the UPN format, this is not the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name. > **Note** Although this field is in the UPN format, this isn't the attribute value of "UserPrincipalName" of the user account. It is the "normalized" name or implicit UPN. It is built from the user SamAccountName and the Active Directory domain name.
This parameter in this event is optional and can be empty in some cases. This parameter in this event is optional and can be empty in some cases.
@ -112,11 +112,11 @@ You will typically see many Failure events with **Failure Code** “**0x20**”,
- This parameter in this event is optional and can be empty in some cases. - This parameter in this event is optional and can be empty in some cases.
- **Service ID** \[Type = SID\]**:** SID of the account or computer object for which the TGS ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - **Service ID** \[Type = SID\]**:** SID of the account or computer object for which the TGS ticket was requested. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event.
- **NULL SID** this value shows in Failure events. - **NULL SID** this value shows in Failure events.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). > **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it can't ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
**Network Information:** **Network Information:**
@ -173,12 +173,12 @@ The most common values:
| 14 | Request-anonymous | KILE not use this flag. | | 14 | Request-anonymous | KILE not use this flag. |
| 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ. | | 15 | Name-canonicalize | In order to request referrals the Kerberos client MUST explicitly request the “canonicalize” KDC option for the AS-REQ or TGS-REQ. |
| 16-25 | Unused | - | | 16-25 | Unused | - |
| 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag is not supported by KILE. | | 26 | Disable-transited-check | By default the KDC will check the transited field of a TGT against the policy of the local realm before it will issue derivative tickets based on the TGT. If this flag is set in the request, checking of the transited field is disabled. Tickets issued without the performance of this check will be noted by the reset (0) value of the TRANSITED-POLICY-CHECKED flag, indicating to the application server that the transited field must be checked locally. KDCs are encouraged but not required to honor<br>the DISABLE-TRANSITED-CHECK option.<br>Should not be in use, because Transited-policy-checked flag isn't supported by KILE. |
| 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life cannot otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. | | 27 | Renewable-ok | The RENEWABLE-OK option indicates that a renewable ticket will be acceptable if a ticket with the requested life can't otherwise be provided, in which case a renewable ticket may be issued with a renew-till equal to the requested end time. The value of the renew-till field may still be limited by local limits, or limits selected by the individual principal or server. |
| 28 | Enc-tkt-in-skey | No information. | | 28 | Enc-tkt-in-skey | No information. |
| 29 | Unused | - | | 29 | Unused | - |
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | | 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. <span id="kerberos-encryption-types" /> | | 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. <span id="kerberos-encryption-types" /> |
| ## Table 4. Kerberos encryption types | | | | ## Table 4. Kerberos encryption types | | |
- **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. - **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS.
@ -204,56 +204,56 @@ The most common values:
| 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | No information. | | 0x4 | KDC\_ERR\_C\_OLD\_MAST\_KVNO | Client's key encrypted in old master key | No information. |
| 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | No information. | | 0x5 | KDC\_ERR\_S\_OLD\_MAST\_KVNO | Server's key encrypted in old master key | No information. |
| 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | The username doesnt exist. | | 0x6 | KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN | Client not found in Kerberos database | The username doesnt exist. |
| 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller cannot find the servers name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name cannot be found. | | 0x7 | KDC\_ERR\_S\_PRINCIPAL\_UNKNOWN | Server not found in Kerberos database | This error can occur if the domain controller can't find the servers name in Active Directory. This error is similar to KDC\_ERR\_C\_PRINCIPAL\_UNKNOWN except that it occurs when the server name can't be found. |
| 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. | | 0x8 | KDC\_ERR\_PRINCIPAL\_NOT\_UNIQUE | Multiple principal entries in KDC database | This error occurs if duplicate principal names exist. Unique principal names are crucial for ensuring mutual authentication. Thus, duplicate principal names are strictly forbidden, even across multiple realms. Without unique principal names, the client has no way of ensuring that the server it is communicating with is the correct one. |
| 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. | | 0x9 | KDC\_ERR\_NULL\_KEY | The client or server has a null key (master key) | No master key was found for client or server. Usually it means that administrator should reset the password on the account. |
| 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a tickets start time be set into the future.<br>It also can occur if there is a time difference between the client and the KDC. | | 0xA | KDC\_ERR\_CANNOT\_POSTDATE | Ticket (TGT) not eligible for postdating | This error can occur if a client requests postdating of a Kerberos ticket. Postdating is the act of requesting that a tickets start time be set into the future.<br>It also can occur if there is a time difference between the client and the KDC. |
| 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There is a time difference between the KDC and the client. | | 0xB | KDC\_ERR\_NEVER\_VALID | Requested start time is later than end time | There's a time difference between the KDC and the client. |
| 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a users account. For example workstation restriction, smart card authentication requirement or logon time restriction. | | 0xC | KDC\_ERR\_POLICY | Requested start time is later than end time | This error is usually the result of logon restrictions in place on a users account. For example workstation restriction, smart card authentication requirement or logon time restriction. |
| 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.<br>The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list | | 0xD | KDC\_ERR\_BADOPTION | KDC cannot accommodate requested option | Impending expiration of a TGT.<br>The SPN to which the client is attempting to delegate credentials isn't in its Allowed-to-delegate-to list |
| 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it cannot decrypt. | | 0xE | KDC\_ERR\_ETYPE\_NOTSUPP | KDC has no support for encryption type | In general, this error occurs when the KDC or a client receives a packet that it can't decrypt. |
| 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it does not have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. | | 0xF | KDC\_ERR\_SUMTYPE\_NOSUPP | KDC has no support for checksum type | The KDC, server, or client receives a packet for which it doesn't have a key of the appropriate encryption type. The result is that the computer is unable to decrypt the ticket. |
| 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate cannot be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | | 0x10 | KDC\_ERR\_PADATA\_TYPE\_NOSUPP | KDC has no support for PADATA type (pre-authentication data) | Smart card logon is being attempted and the proper certificate can't be located. This can happen because the wrong certification authority (CA) is being queried or the proper CA can't be contacted.<br>It can also happen when a domain controller doesnt have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates).<br>This error code can't occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x11 | KDC\_ERR\_TRTYPE\_NO\_SUPP | KDC has no support for transited type | No information. | | 0x11 | KDC\_ERR\_TRTYPE\_NO\_SUPP | KDC has no support for transited type | No information. |
| 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out. | | 0x12 | KDC\_ERR\_CLIENT\_REVOKED | Clients credentials have been revoked | This might be because of an explicit disabling or because of other restrictions in place on the account. For example: account disabled, expired, or locked out. |
| 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | No information. | | 0x13 | KDC\_ERR\_SERVICE\_REVOKED | Credentials for server have been revoked | No information. |
| 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details. | | 0x14 | KDC\_ERR\_TGT\_REVOKED | TGT has been revoked | Since the remote KDC may change its PKCROSS key while there are PKCROSS tickets still active, it SHOULD cache the old PKCROSS keys until the last issued PKCROSS ticket expires. Otherwise, the remote KDC will respond to a client with a KRB-ERROR message of type KDC\_ERR\_TGT\_REVOKED. See [RFC1510](https://www.ietf.org/proceedings/49/I-D/draft-ietf-cat-kerberos-pk-cross-07.txt) for more details. |
| 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid—try again later | No information. | | 0x15 | KDC\_ERR\_CLIENT\_NOTYET | Client not yet valid—try again later | No information. |
| 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid—try again later | No information. | | 0x16 | KDC\_ERR\_SERVICE\_NOTYET | Server not yet valid—try again later | No information. |
| 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The users password has expired.<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | | 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The users password has expired.<br>This error code can't occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.<br>This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.<br>This error code can't occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. |
| 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients don't request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. |
| 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | | 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. |
| 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | This error occurs because the service is missing an SPN. | | 0x1B | KDC\_ERR\_MUST\_USE\_USER2USER | Server principal valid for user2user only | This error occurs because the service is missing an SPN. |
| 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | | 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client can't decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. |
| 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | | 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. |
| 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | | 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server isn't yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client aren't synchronized.<br>If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. |
| 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. | | 0x22 | KRB\_AP\_ERR\_REPEAT | The request is a replay | This error indicates that a specific authenticator showed up twice — the KDC has detected that this session ticket duplicates one that it has already received. |
| 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. | | 0x23 | KRB\_AP\_ERR\_NOT\_US | The ticket is not for us | The server has received a ticket that was meant for a different realm. |
| 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.<br>There is an account mismatch during protocol transition. | | 0x24 | KRB\_AP\_ERR\_BADMATCH | The ticket and authenticator do not match | The KRB\_TGS\_REQ is being sent to the wrong KDC.<br>There's an account mismatch during protocol transition. |
| 0x25 | KRB\_AP\_ERR\_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the servers timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. | | 0x25 | KRB\_AP\_ERR\_SKEW | The clock skew is too great | This error is logged if a client computer sends a timestamp whose value differs from that of the servers timestamp by more than the number of minutes found in the “Maximum tolerance for computer clock synchronization” setting in Kerberos policy. |
| 0x26 | KRB\_AP\_ERR\_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. | | 0x26 | KRB\_AP\_ERR\_BADADDR | Network address in network layer header doesn't match address inside ticket | Session tickets MAY include the addresses from which they are valid. This error can occur if the address of the computer sending the ticket is different from the valid address in the ticket. A possible cause of this could be an Internet Protocol (IP) address change. Another possible cause is when a ticket is passed through a proxy server or NAT. The client is unaware of the address scheme used by the proxy server, so unless the program caused the client to request a proxy server ticket with the proxy server's source address, the ticket could be invalid. |
| 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.<br>The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.<br>See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | | 0x27 | KRB\_AP\_ERR\_BADVERSION | Protocol version numbers don't match (PVNO) | When an application receives a KRB\_SAFE message, it verifies it. If any error occurs, an error code is reported for use by the application.<br>The message is first checked by verifying that the protocol version and type fields match the current version and KRB\_SAFE, respectively. A mismatch generates a KRB\_AP\_ERR\_BADVERSION.<br>See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. |
| 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages. <br>This error also generated if use of UDP protocol is being attempted with User-to-User authentication. | | 0x28 | KRB\_AP\_ERR\_MSG\_TYPE | Message type is unsupported | This message is generated when target server finds that message format is wrong. This applies to KRB\_AP\_REQ, KRB\_SAFE, KRB\_PRIV and KRB\_CRED messages. <br>This error also generated if use of UDP protocol is being attempted with User-to-User authentication. |
| 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.<br>The authentication data was modified in transit by a hardware or software error, or by an attacker.<br>The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.<br>The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. | | 0x29 | KRB\_AP\_ERR\_MODIFIED | Message stream modified and checksum didn't match | The authentication data was encrypted with the wrong key for the intended server.<br>The authentication data was modified in transit by a hardware or software error, or by an attacker.<br>The client sent the authentication data to the wrong server because incorrect DNS data caused the client to send the request to the wrong server.<br>The client sent the authentication data to the wrong server because DNS data was out-of-date on the client. |
| 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. | | 0x2A | KRB\_AP\_ERR\_BADORDER | Message out of order (possible tampering) | This event generates for KRB\_SAFE and KRB\_PRIV messages if an incorrect sequence number is included, or if a sequence number is expected but not present. See [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) for more details. |
| 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ is not one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. | | 0x2C | KRB\_AP\_ERR\_BADKEYVER | Specified version of key is not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. If the key version indicated by the Ticket in the KRB\_AP\_REQ isn't one the server can use (e.g., it indicates an old key, and the server no longer possesses a copy of the old key), the KRB\_AP\_ERR\_BADKEYVER error is returned. |
| 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. | | 0x2D | KRB\_AP\_ERR\_NOKEY | Service key not available | This error might be generated on server side during receipt of invalid KRB\_AP\_REQ message. Because it is possible for the server to be registered in multiple realms, with different keys in each, the realm field in the unencrypted portion of the ticket in the KRB\_AP\_REQ is used to specify which secret key the server should use to decrypt that ticket. The KRB\_AP\_ERR\_NOKEY error code is returned if the server doesn't have the proper key to decipher the ticket. |
| 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. | | 0x2E | KRB\_AP\_ERR\_MUT\_FAIL | Mutual authentication failed | No information. |
| 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. | | 0x2F | KRB\_AP\_ERR\_BADDIRECTION | Incorrect message direction | No information. |
| 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. | | 0x30 | KRB\_AP\_ERR\_METHOD | Alternative authentication method required | According to [RFC4120](http://www.ietf.org/rfc/rfc4120.txt) this error message is obsolete. |
| 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. | | 0x31 | KRB\_AP\_ERR\_BADSEQ | Incorrect sequence number in message | No information. |
| 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums do not match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum is not collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). | | 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums don't match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). |
| 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. | | 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. |
| 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. | | 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. |
| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.<br>Multiple recent password changes have not propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts. | | 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.<br>Multiple recent password changes hanven't propagated.<br>Crypto subsystem error caused by running out of memory.<br>SPN too long.<br>SPN has too many parts. |
| 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that does not understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. | | 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that doesn't understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. |
| 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when users smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) is not trusted by the domain controller. | | 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when users smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. |
| 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client does not possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. | | 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client doesn't possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. |
| 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. | | 0x40 | KDC\_ERR\_INVALID\_SIG | The signature is invalid | This error is related to PKINIT. If a PKI trust relationship exists, the KDC then verifies the client's signature on AuthPack (TGT request signature). If that fails, the KDC returns an error message of type KDC\_ERR\_INVALID\_SIG. |
| 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they do not (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. | | 0x41 | KDC\_ERR\_KEY\_TOO\_WEAK | A higher encryption level is needed | If the clientPublicValue field is filled in, indicating that the client wishes to use Diffie-Hellman key agreement, then the KDC checks to see that the parameters satisfy its policy. If they don't (e.g., the prime size is insufficient for the expected encryption type), then the KDC sends back an error message of type KDC\_ERR\_KEY\_TOO\_WEAK. |
| 0x42 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED. | | 0x42 | KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED | User-to-user authorization is required | In the case that the client application doesn't know that a service requires user-to-user authentication, and requests and receives a conventional KRB\_AP\_REP, the client will send the KRB\_AP\_REP request, and the server will respond with a KRB\_ERROR token as described in [RFC1964](https://tools.ietf.org/html/rfc1964), with a msg-type of KRB\_AP\_ERR\_USER\_TO\_USER\_REQUIRED. |
| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. | | 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service doesn't possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. |
| 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. | | 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. |
- **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if Kerberos delegation was used. - **Transited Services** \[Type = UnicodeString\]: this field contains list of SPNs which were requested if Kerberos delegation was used.
@ -269,17 +269,17 @@ For 4769(S, F): A Kerberos service ticket was requested.
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the high-value account or accounts. | | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Account Information\\Account Name”** (with other information) to monitor how or when a particular account is being used. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Account Information\\Account Name”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the accounts that should never be used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Account Information\\Account Name”** that corresponds to the accounts that should never be used. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Account Information\\Account Domain”** corresponding to another domain or “external” location. | | **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that aren't allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Account Information\\Account Domain”** corresponding to another domain or “external” location. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Account Information\\Account Name”** that you are concerned about. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Account Information\\Account Name”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that dont comply with naming conventions. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that dont comply with naming conventions. |
- If you know that **Account Name** should never request any tickets for (that is, never get access to) a particular computer account or service account, monitor for [4769](event-4769.md) events with the corresponding **Account Name** and **Service ID** fields. - If you know that **Account Name** should never request any tickets for (that is, never get access to) a particular computer account or service account, monitor for [4769](event-4769.md) events with the corresponding **Account Name** and **Service ID** fields.
- You can track all [4769](event-4769.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges. - You can track all [4769](event-4769.md) events where the **Client Address** isn't from your internal IP range or not from private IP ranges.
- If you know that **Account Name** should be able to request tickets (should be used) only from a known allow list of IP addresses, track all **Client Address** values for this **Account Name** in [4769](event-4769.md) events. If **Client Address** is not from your allow list of IP addresses, generate the alert. - If you know that **Account Name** should be able to request tickets (should be used) only from a known allow list of IP addresses, track all **Client Address** values for this **Account Name** in [4769](event-4769.md) events. If **Client Address** isn't from your allow list of IP addresses, generate the alert.
- All **Client Address** = ::1 means local TGS requests, which means that the **Account Name** logged on to a domain controller before making the TGS request. If you have an allow list of accounts allowed to log on to domain controllers, monitor events with **Client Address** = ::1 and any **Account Name** outside the allow list. - All **Client Address** = `::1` means local TGS requests, which means that the **Account Name** logged on to a domain controller before making the TGS request. If you have an allow list of accounts allowed to log on to domain controllers, monitor events with **Client Address** = `::1` and any **Account Name** outside the allow list.
- All [4769](event-4769.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection. - All [4769](event-4769.md) events with **Client Port** field value &gt; 0 and &lt; 1024 should be examined, because a well-known port was used for outbound connection.

4
windows/security/threat-protection/auditing/event-4770.md
View File

@ -2,7 +2,7 @@
title: 4770(S) A Kerberos service ticket was renewed. (Windows 10) title: 4770(S) A Kerberos service ticket was renewed. (Windows 10)
description: Describes security event 4770(S) A Kerberos service ticket was renewed. description: Describes security event 4770(S) A Kerberos service ticket was renewed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4770(S): A Kerberos service ticket was renewed. # 4770(S): A Kerberos service ticket was renewed.

4
windows/security/threat-protection/auditing/event-4771.md
View File

@ -2,7 +2,7 @@
title: 4771(F) Kerberos pre-authentication failed. (Windows 10) title: 4771(F) Kerberos pre-authentication failed. (Windows 10)
description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT. description: Describes security event 4771(F) Kerberos pre-authentication failed. This event is generated when the Key Distribution Center fails to issue a Kerberos TGT.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4771(F): Kerberos pre-authentication failed. # 4771(F): Kerberos pre-authentication failed.

4
windows/security/threat-protection/auditing/event-4772.md
View File

@ -2,7 +2,7 @@
title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10) title: 4772(F) A Kerberos authentication ticket request failed. (Windows 10)
description: Describes security event 4772(F) A Kerberos authentication ticket request failed. description: Describes security event 4772(F) A Kerberos authentication ticket request failed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4772(F): A Kerberos authentication ticket request failed. # 4772(F): A Kerberos authentication ticket request failed.

4
windows/security/threat-protection/auditing/event-4773.md
View File

@ -2,7 +2,7 @@
title: 4773(F) A Kerberos service ticket request failed. (Windows 10) title: 4773(F) A Kerberos service ticket request failed. (Windows 10)
description: Describes security event 4773(F) A Kerberos service ticket request failed. description: Describes security event 4773(F) A Kerberos service ticket request failed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4773(F): A Kerberos service ticket request failed. # 4773(F): A Kerberos service ticket request failed.

4
windows/security/threat-protection/auditing/event-4774.md
View File

@ -2,7 +2,7 @@
title: 4774(S, F) An account was mapped for logon. (Windows 10) title: 4774(S, F) An account was mapped for logon. (Windows 10)
description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon. description: Describes security event 4774(S, F) An account was mapped for logon. This event is generated when an account is mapped for logon.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4774(S, F): An account was mapped for logon # 4774(S, F): An account was mapped for logon

4
windows/security/threat-protection/auditing/event-4775.md
View File

@ -2,7 +2,7 @@
title: 4775(F) An account could not be mapped for logon. (Windows 10) title: 4775(F) An account could not be mapped for logon. (Windows 10)
description: Describes security event 4775(F) An account could not be mapped for logon. description: Describes security event 4775(F) An account could not be mapped for logon.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4775(F): An account could not be mapped for logon. # 4775(F): An account could not be mapped for logon.

18
windows/security/threat-protection/auditing/event-4776.md
View File

@ -2,7 +2,7 @@
title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10) title: 4776(S, F) The computer attempted to validate the credentials for an account. (Windows 10)
description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account. description: Describes security event 4776(S, F) The computer attempted to validate the credentials for an account.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/13/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4776(S, F): The computer attempted to validate the credentials for an account. # 4776(S, F): The computer attempted to validate the credentials for an account.
@ -29,13 +29,13 @@ This event occurs only on the computer that is authoritative for the provided cr
It shows successful and unsuccessful credential validation attempts. It shows successful and unsuccessful credential validation attempts.
It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you will see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) is not presented in this event. It shows only the computer name (**Source Workstation**) from which the authentication attempt was performed (authentication source). For example, if you authenticate from CLIENT-1 to SERVER-1 using a domain account you'll see CLIENT-1 in the **Source Workstation** field. Information about the destination computer (SERVER-1) isn't presented in this event.
If a credential validation attempt fails, you will see a Failure event with **Error Code** parameter value not equal to “**0x0**”. If a credential validation attempt fails, you'll see a Failure event with **Error Code** parameter value not equal to “**0x0**”.
The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used. The main advantage of this event is that on domain controllers you can see all authentication attempts for domain accounts when NTLM authentication was used.
For monitoring local account logon attempts, it is better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative. For monitoring local account logon attempts, it's better to use event “[4624](event-4624.md): An account was successfully logged on” because it contains more details and is more informative.
This event also generates when a workstation unlock event occurs. This event also generates when a workstation unlock event occurs.
@ -82,7 +82,7 @@ This event does *not* generate when a domain account logs on locally to a domain
***Field Descriptions:*** ***Field Descriptions:***
- **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) which was used for credential validation. It is always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event. - **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](/windows/win32/secauthn/authentication-packages) that was used for credential validation. It's always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event.
> **Note**&nbsp;&nbsp;**Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](/windows/win32/secgloss/l-gly#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt. > **Note**&nbsp;&nbsp;**Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](/windows/win32/secgloss/l-gly#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt.
@ -127,14 +127,14 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. | | **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.<br>To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. | | **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. |
| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. | | **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. |
| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. | | **Restricted-use computers**: You might have certain computers from which certain people (accounts) shouldn't log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you're concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that dont comply with naming conventions. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that dont comply with naming conventions. |
- If NTLM authentication should not be used for a specific account, monitor for that account. Dont forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored. - If NTLM authentication shouldn't be used for a specific account, monitor for that account. Dont forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored.
- You can use this event to collect all NTLM authentication attempts in the domain, if needed. Dont forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored. - You can use this event to collect all NTLM authentication attempts in the domain, if needed. Dont forget that local logon will always use NTLM authentication if the account logs on to a device where its user account is stored.
- If a local account should be used only locally (for example, network logon or terminal services logon is not allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values. - If a local account should be used only locally (for example, network logon or terminal services logon isn't allowed), you need to monitor for all events where **Source Workstation** and **Computer** (where the event was generated and where the credentials are stored) have different values.
- Consider tracking the following errors for the reasons listed: - Consider tracking the following errors for the reasons listed:

4
windows/security/threat-protection/auditing/event-4777.md
View File

@ -2,7 +2,7 @@
title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10) title: 4777(F) The domain controller failed to validate the credentials for an account. (Windows 10)
description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account. description: Describes security event 4777(F) The domain controller failed to validate the credentials for an account.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4777(F): The domain controller failed to validate the credentials for an account. # 4777(F): The domain controller failed to validate the credentials for an account.

4
windows/security/threat-protection/auditing/event-4778.md
View File

@ -2,7 +2,7 @@
title: 4778(S) A session was reconnected to a Window Station. (Windows 10) title: 4778(S) A session was reconnected to a Window Station. (Windows 10)
description: Describes security event 4778(S) A session was reconnected to a Window Station. description: Describes security event 4778(S) A session was reconnected to a Window Station.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4778(S): A session was reconnected to a Window Station. # 4778(S): A session was reconnected to a Window Station.

4
windows/security/threat-protection/auditing/event-4779.md
View File

@ -2,7 +2,7 @@
title: 4779(S) A session was disconnected from a Window Station. (Windows 10) title: 4779(S) A session was disconnected from a Window Station. (Windows 10)
description: Describes security event 4779(S) A session was disconnected from a Window Station. description: Describes security event 4779(S) A session was disconnected from a Window Station.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4779(S): A session was disconnected from a Window Station. # 4779(S): A session was disconnected from a Window Station.

4
windows/security/threat-protection/auditing/event-4780.md
View File

@ -2,7 +2,7 @@
title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10) title: 4780(S) The ACL was set on accounts which are members of administrators groups. (Windows 10)
description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups. description: Describes security event 4780(S) The ACL was set on accounts which are members of administrators groups.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4780(S): The ACL was set on accounts which are members of administrators groups. # 4780(S): The ACL was set on accounts which are members of administrators groups.

4
windows/security/threat-protection/auditing/event-4781.md
View File

@ -2,7 +2,7 @@
title: 4781(S) The name of an account was changed. (Windows 10) title: 4781(S) The name of an account was changed. (Windows 10)
description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed. description: Describes security event 4781(S) The name of an account was changed. This event is generated every time a user or computer account name is changed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4781(S): The name of an account was changed. # 4781(S): The name of an account was changed.

4
windows/security/threat-protection/auditing/event-4782.md
View File

@ -2,7 +2,7 @@
title: 4782(S) The password hash of an account was accessed. (Windows 10) title: 4782(S) The password hash of an account was accessed. (Windows 10)
description: Describes security event 4782(S) The password hash of an account was accessed. description: Describes security event 4782(S) The password hash of an account was accessed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4782(S): The password hash of an account was accessed. # 4782(S): The password hash of an account was accessed.

4
windows/security/threat-protection/auditing/event-4793.md
View File

@ -2,7 +2,7 @@
title: 4793(S) The Password Policy Checking API was called. (Windows 10) title: 4793(S) The Password Policy Checking API was called. (Windows 10)
description: Describes security event 4793(S) The Password Policy Checking API was called. description: Describes security event 4793(S) The Password Policy Checking API was called.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4793(S): The Password Policy Checking API was called. # 4793(S): The Password Policy Checking API was called.

4
windows/security/threat-protection/auditing/event-4794.md
View File

@ -2,7 +2,7 @@
title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. (Windows 10) title: 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. (Windows 10)
description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password. description: Describes security event 4794(S, F) An attempt was made to set the Directory Services Restore Mode administrator password.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password. # 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.

4
windows/security/threat-protection/auditing/event-4798.md
View File

@ -2,7 +2,7 @@
title: 4798(S) A user's local group membership was enumerated. (Windows 10) title: 4798(S) A user's local group membership was enumerated. (Windows 10)
description: Describes security event 4798(S) A user's local group membership was enumerated. description: Describes security event 4798(S) A user's local group membership was enumerated.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4798(S): A user's local group membership was enumerated. # 4798(S): A user's local group membership was enumerated.

4
windows/security/threat-protection/auditing/event-4799.md
View File

@ -2,7 +2,7 @@
title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10) title: 4799(S) A security-enabled local group membership was enumerated. (Windows 10)
description: Describes security event 4799(S) A security-enabled local group membership was enumerated. description: Describes security event 4799(S) A security-enabled local group membership was enumerated.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4799(S): A security-enabled local group membership was enumerated. # 4799(S): A security-enabled local group membership was enumerated.

4
windows/security/threat-protection/auditing/event-4800.md
View File

@ -2,7 +2,7 @@
title: 4800(S) The workstation was locked. (Windows 10) title: 4800(S) The workstation was locked. (Windows 10)
description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked. description: Describes security event 4800(S) The workstation was locked. This event is generated when a workstation is locked.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4800(S): The workstation was locked. # 4800(S): The workstation was locked.

4
windows/security/threat-protection/auditing/event-4801.md
View File

@ -2,7 +2,7 @@
title: 4801(S) The workstation was unlocked. (Windows 10) title: 4801(S) The workstation was unlocked. (Windows 10)
description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked. description: Describes security event 4801(S) The workstation was unlocked. This event is generated when workstation is unlocked.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4801(S): The workstation was unlocked. # 4801(S): The workstation was unlocked.

4
windows/security/threat-protection/auditing/event-4802.md
View File

@ -2,7 +2,7 @@
title: 4802(S) The screen saver was invoked. (Windows 10) title: 4802(S) The screen saver was invoked. (Windows 10)
description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked. description: Describes security event 4802(S) The screen saver was invoked. This event is generated when screen saver is invoked.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4802(S): The screen saver was invoked. # 4802(S): The screen saver was invoked.

4
windows/security/threat-protection/auditing/event-4803.md
View File

@ -2,7 +2,7 @@
title: 4803(S) The screen saver was dismissed. (Windows 10) title: 4803(S) The screen saver was dismissed. (Windows 10)
description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed. description: Describes security event 4803(S) The screen saver was dismissed. This event is generated when screen saver is dismissed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4803(S): The screen saver was dismissed. # 4803(S): The screen saver was dismissed.

4
windows/security/threat-protection/auditing/event-4816.md
View File

@ -2,7 +2,7 @@
title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10) title: 4816(S) RPC detected an integrity violation while decrypting an incoming message. (Windows 10)
description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message. description: Describes security event 4816(S) RPC detected an integrity violation while decrypting an incoming message.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4816(S): RPC detected an integrity violation while decrypting an incoming message. # 4816(S): RPC detected an integrity violation while decrypting an incoming message.

4
windows/security/threat-protection/auditing/event-4817.md
View File

@ -2,7 +2,7 @@
title: 4817(S) Auditing settings on object were changed. (Windows 10) title: 4817(S) Auditing settings on object were changed. (Windows 10)
description: Describes security event 4817(S) Auditing settings on object were changed. description: Describes security event 4817(S) Auditing settings on object were changed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4817(S): Auditing settings on object were changed. # 4817(S): Auditing settings on object were changed.

4
windows/security/threat-protection/auditing/event-4818.md
View File

@ -2,7 +2,7 @@
title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. (Windows 10) title: 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. (Windows 10)
description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. description: Describes security event 4818(S) Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy. # 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.

4
windows/security/threat-protection/auditing/event-4819.md
View File

@ -2,7 +2,7 @@
title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10) title: 4819(S) Central Access Policies on the machine have been changed. (Windows 10)
description: Describes security event 4819(S) Central Access Policies on the machine have been changed. description: Describes security event 4819(S) Central Access Policies on the machine have been changed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4819(S): Central Access Policies on the machine have been changed. # 4819(S): Central Access Policies on the machine have been changed.

4
windows/security/threat-protection/auditing/event-4826.md
View File

@ -2,7 +2,7 @@
title: 4826(S) Boot Configuration Data loaded. (Windows 10) title: 4826(S) Boot Configuration Data loaded. (Windows 10)
description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings. description: Describes security event 4826(S) Boot Configuration Data loaded. This event is generated every time system starts and loads Boot Configuration Data settings.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4826(S): Boot Configuration Data loaded. # 4826(S): Boot Configuration Data loaded.

4
windows/security/threat-protection/auditing/event-4864.md
View File

@ -2,7 +2,7 @@
title: 4864(S) A namespace collision was detected. (Windows 10) title: 4864(S) A namespace collision was detected. (Windows 10)
description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected. description: Describes security event 4864(S) A namespace collision was detected. This event is generated when a namespace collision is detected.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4864(S): A namespace collision was detected. # 4864(S): A namespace collision was detected.

4
windows/security/threat-protection/auditing/event-4865.md
View File

@ -2,7 +2,7 @@
title: 4865(S) A trusted forest information entry was added. (Windows 10) title: 4865(S) A trusted forest information entry was added. (Windows 10)
description: Describes security event 4865(S) A trusted forest information entry was added. description: Describes security event 4865(S) A trusted forest information entry was added.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4865(S): A trusted forest information entry was added. # 4865(S): A trusted forest information entry was added.

4
windows/security/threat-protection/auditing/event-4866.md
View File

@ -2,7 +2,7 @@
title: 4866(S) A trusted forest information entry was removed. (Windows 10) title: 4866(S) A trusted forest information entry was removed. (Windows 10)
description: Describes security event 4866(S) A trusted forest information entry was removed. description: Describes security event 4866(S) A trusted forest information entry was removed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4866(S): A trusted forest information entry was removed. # 4866(S): A trusted forest information entry was removed.

4
windows/security/threat-protection/auditing/event-4867.md
View File

@ -2,7 +2,7 @@
title: 4867(S) A trusted forest information entry was modified. (Windows 10) title: 4867(S) A trusted forest information entry was modified. (Windows 10)
description: Describes security event 4867(S) A trusted forest information entry was modified. description: Describes security event 4867(S) A trusted forest information entry was modified.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4867(S): A trusted forest information entry was modified. # 4867(S): A trusted forest information entry was modified.

4
windows/security/threat-protection/auditing/event-4902.md
View File

@ -2,7 +2,7 @@
title: 4902(S) The Per-user audit policy table was created. (Windows 10) title: 4902(S) The Per-user audit policy table was created. (Windows 10)
description: Describes security event 4902(S) The Per-user audit policy table was created. description: Describes security event 4902(S) The Per-user audit policy table was created.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4902(S): The Per-user audit policy table was created. # 4902(S): The Per-user audit policy table was created.

4
windows/security/threat-protection/auditing/event-4904.md
View File

@ -2,7 +2,7 @@
title: 4904(S) An attempt was made to register a security event source. (Windows 10) title: 4904(S) An attempt was made to register a security event source. (Windows 10)
description: Describes security event 4904(S) An attempt was made to register a security event source. description: Describes security event 4904(S) An attempt was made to register a security event source.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/07/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4904(S): An attempt was made to register a security event source. # 4904(S): An attempt was made to register a security event source.

4
windows/security/threat-protection/auditing/event-4905.md
View File

@ -2,7 +2,7 @@
title: 4905(S) An attempt was made to unregister a security event source. (Windows 10) title: 4905(S) An attempt was made to unregister a security event source. (Windows 10)
description: Describes security event 4905(S) An attempt was made to unregister a security event source. description: Describes security event 4905(S) An attempt was made to unregister a security event source.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/08/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4905(S): An attempt was made to unregister a security event source. # 4905(S): An attempt was made to unregister a security event source.

4
windows/security/threat-protection/auditing/event-4906.md
View File

@ -2,7 +2,7 @@
title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10) title: 4906(S) The CrashOnAuditFail value has changed. (Windows 10)
description: Describes security event 4906(S) The CrashOnAuditFail value has changed. description: Describes security event 4906(S) The CrashOnAuditFail value has changed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/08/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4906(S): The CrashOnAuditFail value has changed. # 4906(S): The CrashOnAuditFail value has changed.

4
windows/security/threat-protection/auditing/event-4907.md
View File

@ -2,7 +2,7 @@
title: 4907(S) Auditing settings on object were changed. (Windows 10) title: 4907(S) Auditing settings on object were changed. (Windows 10)
description: Describes security event 4907(S) Auditing settings on object were changed. description: Describes security event 4907(S) Auditing settings on object were changed.
ms.pagetype: security ms.pagetype: security
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
@ -11,7 +11,7 @@ ms.date: 09/08/2021
ms.reviewer: ms.reviewer:
manager: aaroncz manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.technology: windows-sec ms.technology: itpro-security
--- ---
# 4907(S): Auditing settings on object were changed. # 4907(S): Auditing settings on object were changed.